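def saml_client(metadata: str):
    """Build a pysaml2 SP client for the current request from IdP metadata.

    The SP's entity ID is its own metadata URL (``saml_metadata`` view) and
    its single assertion consumer service (ACS) is the ``saml_acs`` view,
    both produced with ``flask.url_for(..., _external=True)``.

    Args:
        metadata: IdP metadata handed to pysaml2's ``inline`` metadata
            loader (presumably the metadata XML as a string; confirm with
            the caller).

    Returns:
        A configured ``saml2.client.Saml2Client``.

    Security notes:
        * ``allow_unsolicited`` is True, so InResponseTo checking is off and
          the client accepts IdP-initiated or replayed responses that do not
          answer an AuthnRequest this SP issued. pysaml2's cache of issued
          request ids lives in the client object, which is rebuilt on every
          call, so the check could not work here anyway; if it is wanted,
          the outstanding request ids must be persisted between requests.
        * ``_external=True`` URLs typically take scheme and host from the
          incoming request unless Flask's SERVER_NAME is configured, so an
          untrusted Host header influences the advertised ACS URL and
          entity ID.
        * ``want_assertions_signed`` is pinned to True rather than relying
          on the library default. If the IdP signs only the Response
          envelope and not the Assertion, revisit this together with
          ``want_response_signed``.
    """
    metadata_url = flask.url_for('saml_metadata', _external=True)
    acs_url = flask.url_for('saml_acs', _external=True)

    sp_settings = {
        'endpoints': {
            'assertion_consumer_service': [
                (acs_url, saml2.BINDING_HTTP_POST),
            ],
        },
        # Without this, the saml2 library "helpfully" keeps track of the
        # requests we've issued and rejects ones it doesn't know about. The
        # client object is not persistent here, though, so that cache would
        # be empty on every response. Note this also disables the
        # replay / IdP-initiated-response protection that check provides.
        'allow_unsolicited': True,
        # Require a signature on the assertion itself instead of trusting
        # whatever the installed pysaml2's default happens to be (explicit,
        # as in the other SP configs here).
        'want_assertions_signed': True,
    }

    config = saml2.config.Config()
    config.load({
        'entityid': metadata_url,
        'metadata': {
            'inline': [metadata],
        },
        'service': {
            'sp': sp_settings,
        },
    })
    return saml2.client.Saml2Client(config=config)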
def get_saml2_config():
    """Assemble the pysaml2 SP ``Config`` for this app from Flask settings.

    Baseline values come from the app config and the current request
    (``absolute_url``); ``SAML2_CONFIG`` is then merged over them so any key
    can be overridden from configuration. ``SAML2_METADATA_URL``,
    ``SAML2_ENTITY_ID`` and ``SAML2_CONFIG`` are looked up by indexing, so a
    missing key raises ``KeyError``; ``SAML2_ENTITY_ID`` only replaces the
    default entity ID when it is truthy.

    Returns:
        A loaded ``saml2.config.Config`` with ``allow_unknown_attributes``
        set to True (pysaml2 flag so attributes missing from its attribute
        maps are not rejected — confirm against the installed version).

    Security notes (baseline values, each overridable via SAML2_CONFIG):
        * ``allow_unsolicited`` is True: InResponseTo is not checked, so
          IdP-initiated and replayed responses are accepted.
        * Only the assertion must be signed (``want_assertions_signed``);
          the Response envelope need not be (``want_response_signed`` is
          False) and AuthnRequests are sent unsigned.
        * The default metadata source is a ``remote`` URL with no ``cert``
          entry, so trust in the IdP's keys rests on the TLS connection to
          ``SAML2_METADATA_URL`` rather than on a metadata signature —
          review whether that is acceptable for the deployment.
    """
    config = saml2.config.Config()
    app_config = current_app.config

    remote_metadata = {
        'remote': [{
            'url': app_config['SAML2_METADATA_URL'],
        }]
    }
    entity_id = absolute_url()
    sp_settings = {
        'endpoints': {
            'assertion_consumer_service': [
                (absolute_url('/auth/saml'), saml2.BINDING_HTTP_POST)
            ]
        },
        'allow_unsolicited': True,
        'authn_requests_signed': False,
        'want_assertions_signed': True,
        'want_response_signed': False
    }
    saml_settings = {
        'metadata': remote_metadata,
        'entityid': entity_id,
        'service': {
            'sp': sp_settings
        }
    }

    configured_entity_id = app_config['SAML2_ENTITY_ID']
    if configured_entity_id:
        saml_settings['entityid'] = configured_entity_id

    overrides = app_config['SAML2_CONFIG']
    if overrides.get('metadata'):
        saml_settings['metadata'] = overrides['metadata']

    # Anything in SAML2_CONFIG wins over the baseline built above.
    merge(saml_settings, overrides)

    config.load(saml_settings)
    config.allow_unknown_attributes = True
    return config
def _get_client(metadata, allow_unknown_attributes=True):
    """Create a per-request pysaml2 SP client against the given IdP metadata.

    Args:
        metadata: IdP metadata passed to pysaml2's ``inline`` metadata
            loader (presumably the metadata XML as a string; verify with
            the caller).
        allow_unknown_attributes: stored on ``Config.allow_unknown_attributes``
            after loading.

    Returns:
        A ``saml2.client.Saml2Client`` whose entity ID is the ``metadata``
        view URL and whose single ACS endpoint is the ``login_acs`` view
        (HTTP-POST binding), both built with ``url_for(..., _external=True)``.

    Security notes:
        * ``allow_unsolicited`` is True, so InResponseTo is not verified and
          unsolicited (IdP-initiated) or replayed responses are accepted.
          pysaml2's in-memory cache of issued request ids would be empty
          here anyway, since the client is rebuilt on every call.
        * Assertions must be signed (``want_assertions_signed``); the
          Response envelope need not be, and AuthnRequests are sent
          unsigned. Logout requests are signed.
        * Externally built URLs typically follow the request's scheme and
          host unless Flask's SERVER_NAME pins them, so an untrusted Host
          header influences the advertised entity ID and ACS URL.
    """
    acs_url = flask.url_for('login_acs', _external=True)
    metadata_url = flask.url_for('metadata', _external=True)

    endpoints = {
        'assertion_consumer_service': [
            (acs_url, saml2.BINDING_HTTP_POST),
        ],
    }
    sp_settings = {
        'endpoints': endpoints,
        # Skip pysaml2's check that a response answers an AuthnRequest this
        # process issued (its request-id cache is per client object).
        'allow_unsolicited': True,
        # Unsigned AuthnRequests: signing them only pays off when the same
        # party controls both the SP and the IdP.
        'authn_requests_signed': False,
        'logout_requests_signed': True,
        'want_assertions_signed': True,
        'want_response_signed': False,
    }

    config = saml2.config.Config()
    config.load({
        'entityid': metadata_url,
        'metadata': {
            'inline': [metadata],
        },
        'service': {
            'sp': sp_settings,
        },
    })
    config.allow_unknown_attributes = allow_unknown_attributes
    return saml2.client.Saml2Client(config=config)
def get_saml2_config():
    """Return the pysaml2 ``Config`` for this app's SP role.

    Only the entity ID (``absolute_url()``) and one HTTP-POST assertion
    consumer service at ``/auth/saml`` are supplied as defaults. Everything
    else — the IdP metadata source, ``allow_unsolicited``, the
    ``want_*_signed`` flags — has to come from ``SAML2_CONFIG``, which is
    deep-merged over the defaults and can therefore override them too.

    Returns:
        A loaded ``saml2.config.Config``.

    Security note: no signature requirement is set here, so what the SP
    demands of responses is decided entirely by ``SAML2_CONFIG`` (or, if
    absent there, by the installed pysaml2's defaults) — set it explicitly.
    """
    config = saml2.config.Config()

    entity_id = absolute_url()
    acs_endpoint = (absolute_url('/auth/saml'), saml2.BINDING_HTTP_POST)
    defaults = {
        'entityid': entity_id,
        'service': {
            'sp': {
                'endpoints': {
                    'assertion_consumer_service': [acs_endpoint]
                }
            }
        }
    }

    overrides = current_app.config['SAML2_CONFIG']
    config.load(deepmerge(defaults, overrides))
    return config
def get_saml2_config():
    """Build the SP-side pysaml2 ``Config`` from defaults plus ``SAML2_CONFIG``.

    The defaults cover only the entity ID (``absolute_url()``) and a single
    HTTP-POST assertion consumer service at ``/auth/saml``; ``SAML2_CONFIG``
    is deep-merged on top and may override either.

    Returns:
        A loaded ``saml2.config.Config``.

    Security note: IdP metadata, ``allow_unsolicited`` and the
    ``want_*_signed`` flags are not set here, so the trust decisions rest
    on ``SAML2_CONFIG`` (or pysaml2's own defaults when missing there);
    make sure that configuration pins them.
    """
    config = saml2.config.Config()

    endpoints = {
        'assertion_consumer_service': [
            (absolute_url('/auth/saml'), saml2.BINDING_HTTP_POST)
        ]
    }
    sp_defaults = {
        'entityid': None,
        'service': {'sp': {'endpoints': endpoints}}
    }
    sp_defaults['entityid'] = absolute_url()

    merged = deepmerge(sp_defaults, current_app.config['SAML2_CONFIG'])
    config.load(merged)

    return config
from synapse.api.errors import RedirectException

from tests.test_utils import simple_async_mock
from tests.unittest import HomeserverTestCase, override_config

# Probe for the optional pysaml2 dependency. Two facts are recorded
# separately: whether pysaml2 imports at all, and whether it can locate the
# xmlsec1 binary (the existing note says loading an SP config raises
# SigverError when it cannot).
try:
    import saml2.config
    from saml2.sigver import SigverError

    has_saml2 = True

    config = saml2.config.SPConfig()
    try:
        config.load({"metadata": {}})
    except SigverError:
        has_xmlsec1 = False
    else:
        has_xmlsec1 = True
except ImportError:
    has_saml2 = has_xmlsec1 = False

# Base URL the tests configure the homeserver with.
BASE_URL = "https://synapse/"


@attr.s(auto_attribs=True)
class FakeAuthnResponse:
    """Minimal stand-in for a pysaml2 AuthnResponse used by these tests.

    Only two attributes are modelled — presumably the ones the code under
    test reads: ``ava`` (the attribute/value mapping) and ``assertions``
    (defaults to an empty list).
    """

    ava: dict
    assertions: list = attr.Factory(list)
def create_client():
    """Build a pysaml2 SP client from ``CONFIG['saml_settings']``.

    Returns:
        A ``saml2.client.Saml2Client`` backed by an ``SPConfig`` loaded from
        that settings dict.

    Security note: every trust decision — IdP metadata source, whether
    assertions and responses must be signed, ``allow_unsolicited`` — comes
    from ``CONFIG['saml_settings']``; nothing is pinned here, so review that
    dict alongside this function.
    """
    sp_config = saml2.config.SPConfig()
    sp_config.load(CONFIG['saml_settings'])
    return saml2.client.Saml2Client(sp_config)
def create_client():
    """Return a ``Saml2Client`` configured from ``CONFIG['saml_settings']``.

    The SP configuration is loaded into a fresh ``saml2.config.SPConfig``
    and handed to the client unchanged.

    Security note: signature requirements (``want_assertions_signed`` /
    ``want_response_signed``), ``allow_unsolicited`` and the IdP metadata
    source are all taken from the settings dict — none are enforced here.
    """
    config = saml2.config.SPConfig()
    settings = CONFIG['saml_settings']
    config.load(settings)
    client = saml2.client.Saml2Client(config)
    return client